CISA rolls out binding operational directive to secure internet-facing networked device systems, mitigate risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive calling on federal agencies to secure internet-exposed management interfaces. The agency will start scanning federal agencies for vulnerable network devices and will further require them to either disconnect these devices from the internet or tighten access controls.

The compulsory direction to federal executive-branch departments and agencies for safeguarding federal information and information systems establishes core security actions to reduce cyber risk across federal civilian enterprises. The rationale behind the binding operational directive is that cyber adversaries are increasingly targeting network infrastructure as endpoint protections improve.

Published Tuesday, Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet. It also suggests implementing zero-trust architecture capabilities that enforce access control to the interface within 14 days of discovery. A ‘networked management interface’ has been defined as a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself.

The intent of the binding operational directive is not to conflict with product vendor recommendations but to complement the existing hardening recommendations. Most vendors include guidance on how to prevent exposure of these interfaces to the public-facing internet. At the minimum, agencies are expected to have policies (management controls) in place that require all management interfaces on existing and newly added devices, identified as in scope for the directive, to have at least one of the required protections in place. Wherever technically feasible, agencies should also have automated ways (technical controls) to scan for and discover interfaces in the scope of the directive.

The requirements in the binding operational directive apply only to devices residing on or supporting federal information systems and/or networks that belong to one of the following classes – routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces (such as iLO and iDRAC); and devices for which the management interfaces are using network protocols for remote management over the public internet, including, but not limited to: hypertext transfer protocol (HTTP), hypertext transfer protocol secure (HTTPS), file transfer protocol (FTP), simple network management protocol (SNMP), teletype network (Telnet), trivial file transfer protocol (TFTP), remote desktop protocol (RDP), remote login (rlogin), remote shell (RSH), secure shell (SSH), server message block (SMB), virtual network computing (VNC), and X11 (X Window System).

The directive does not apply to web applications and interfaces used for managing cloud service provider (CSP) offerings, including but not limited to application programming interfaces (APIs) or management portals.

CISA outlined that recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of the efforts by the agency and the U.S. government to move the federal civilian enterprise to a more defensible posture, the directive will further reduce the attack surface of the federal government networks. As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” Jen Easterly, CISA director, said in a media statement. “Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

The binding operational directive requires that, within 14 days of notification by CISA or discovery by an agency of a networked management interface in scope for this directive, federal civilian executive-branch agencies will at least remove the interface from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network); or deploy capabilities, as part of a zero trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).

Agencies will implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices, identified as in scope for this Directive, have at least one of the following protections: the interface is removed from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network); or the interface is protected by capabilities, as part of a zero trust architecture, which enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).

Agencies must take at least one of two possible options—remove the interface from the internet and/or protect it with zero trust-aligned capabilities. Addressing whether CISA has a preference, the agency said in implementation guidance that it “strongly encourages agencies to implement Zero Trust concepts where technically feasible. These concepts can be found in OMB M-22-09, NIST 800-207, the TIC 3.0 Capability Catalog, and CISA’s Zero Trust Maturity Model. However, CISA also understands that due to short remediation timeline requirements, it may be quicker and more efficient to remove the interface from the public-facing internet as a first step.”

When it comes to zero trust architecture, CISA requires that the policy enforcement should be separate from the device itself to provide protection against vulnerabilities or compromise in the management interface. “Some devices host their own policy enforcement points (PEP) on the device itself, which can be used to provide finer-grained policy and access to the device’s management interface. However, a separate policy enforcement point should be used to provide the first line of defense in a defense-in-depth strategy. Two examples of separate policy enforcement points could be SASE-based private access solutions or access proxies,” the guidance document added.
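The scoping rules, the two acceptable protections, the point that an on-device policy enforcement point does not count as the required separate one, and the 14-day window described above can be turned into a simple inventory check. The following is an added example, not CISA's tooling or the directive's own text: the device classes, protocol list and deadline come from the directive as quoted above, while the inventory record format, the field names, the `exposed` flag (assumed to come from an external scan) and the sample records are all assumptions constructed for this illustration.

```python
"""
Scope and remediation-status check for networked management interfaces,
modelled on the BOD 23-02 criteria described above.

Added example: the device classes, protocol list and 14-day window are
taken from the directive text; the inventory format, field names and
sample records are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Device classes the directive names as in scope.
IN_SCOPE_CLASSES = {
    "router", "switch", "firewall", "vpn_concentrator",
    "proxy", "load_balancer", "oob_server_management",  # e.g. iLO, iDRAC
}

# Remote-management protocols the directive lists ("including, but not limited to").
IN_SCOPE_PROTOCOLS = {
    "http", "https", "ftp", "snmp", "telnet", "tftp", "rdp",
    "rlogin", "rsh", "ssh", "smb", "vnc", "x11",
}

REMEDIATION_WINDOW = timedelta(days=14)


@dataclass
class ManagementInterface:
    device: str
    device_class: str
    address: str           # address the interface listens on (constructed values below)
    protocol: str
    exposed: bool          # assumed: True if an external scan reached it from the internet
    # Where access control is enforced: "none", "on_device" (a PEP hosted on
    # the device itself) or "separate" (a PEP in front of the device).
    pep: str = "none"
    csp_portal: bool = False       # CSP management portals/APIs are exempt
    discovered: Optional[date] = None


def in_scope(iface: ManagementInterface) -> bool:
    """In scope when the device class and the management protocol are both listed
    and the interface is not a cloud service provider management portal."""
    if iface.csp_portal:
        return False
    return (iface.device_class in IN_SCOPE_CLASSES
            and iface.protocol.lower() in IN_SCOPE_PROTOCOLS)


def status(iface: ManagementInterface) -> str:
    """Return 'out_of_scope', 'compliant' or 'needs_remediation'."""
    if not in_scope(iface):
        return "out_of_scope"
    # Option 1: the interface is not reachable from the internet at all.
    if not iface.exposed:
        return "compliant"
    # Option 2 (preferred): access control enforced by a PEP separate from the
    # interface. A PEP hosted on the device itself does not satisfy this alone.
    if iface.pep == "separate":
        return "compliant"
    return "needs_remediation"


def remediation_deadline(discovered: date) -> date:
    """14 days from notification by CISA or discovery by the agency."""
    return discovered + REMEDIATION_WINDOW


def assess(inventory, today: date):
    """Findings for interfaces that still need remediation, flagging any whose
    14-day window has already elapsed (those need a remediation plan filed)."""
    findings = []
    for iface in inventory:
        if status(iface) != "needs_remediation":
            continue
        deadline = remediation_deadline(iface.discovered)
        findings.append({
            "device": iface.device,
            "protocol": iface.protocol,
            "address": iface.address,
            "deadline": deadline,
            "overdue": today > deadline,
        })
    return findings


# Constructed sample inventory: no real devices; addresses are from the
# documentation ranges 203.0.113.0/24, 198.51.100.0/24 and RFC 1918 space.
SAMPLE_INVENTORY = [
    ManagementInterface("edge-fw-1", "firewall", "203.0.113.10", "https",
                        exposed=True, pep="none", discovered=date(2023, 6, 1)),
    ManagementInterface("core-sw-1", "switch", "10.20.0.5", "ssh",
                        exposed=False, pep="none", discovered=date(2023, 6, 1)),
    ManagementInterface("vpn-1", "vpn_concentrator", "198.51.100.7", "ssh",
                        exposed=True, pep="separate", discovered=date(2023, 6, 1)),
    ManagementInterface("bmc-srv-9", "oob_server_management", "203.0.113.44", "http",
                        exposed=True, pep="on_device", discovered=date(2023, 6, 10)),
    ManagementInterface("cloud-console", "proxy", "203.0.113.80", "https",
                        exposed=True, csp_portal=True, discovered=date(2023, 6, 1)),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY, date(2023, 6, 20)):
        print(finding)
```

Run against the sample inventory on 2023-06-20, the check reports two findings: the firewall's HTTPS interface (deadline already passed, so a remediation plan is due) and the BMC whose only access control is its own on-device PEP; the internal-only switch, the VPN concentrator behind a separate PEP, and the CSP console are not reported.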

CISA said that it will scan for devices and interfaces in the scope of the binding operational directive and notify agencies of all findings. It will provide federal agencies with a reporting interface and standard remediation plan templates if remediation efforts exceed required timeframes, and engage agencies to review status and provide technical expertise for hardening specific devices, as requested and as appropriate. The agency will also engage agency CIOs, CISOs, and SAORMs throughout the escalation process, if necessary.

Within two years following the issuance of the binding operational directive, CISA will review and update this directive as needed to reflect changes in the general cybersecurity landscape and revise guidance to help agencies better identify, track, and report the networked management interfaces they operate. CISA will also provide further guidance to agencies through its website, updates to this directive, and individual engagements upon request.

Furthermore, within six months of issuance and yearly thereafter, CISA will submit a report on the status of Federal Civilian Executive Branch (FCEB) agencies’ compliance with this directive to the secretary of the Department of Homeland Security (DHS) and the director of the Office of Management and Budget (OMB).

Within 30 days, CISA will begin to provide reports to agencies identifying in-scope devices that may be on the public-facing internet.

If an agency cannot mitigate an identified interface within 14 days for technical or operational reasons, it should notify CISA immediately of any instance where it does not anticipate meeting the required deadline, through ‘[email protected]’, and must complete and submit to CISA a standard remediation plan template within the 14-day required timeframe.

Last week, cybersecurity agencies released a guide to help network administrators and defenders secure remote access software, delivering a collaborative effort and providing an overview of common exploitations and associated tactics, techniques, and procedures (TTPs) used by cyber threat actors. It also includes recommendations to IT/OT (operational technology) and ICS (industrial control systems) professionals and organizations on best practices for using remote capabilities while detecting and defending against malicious actors abusing this software.
